Hello you all,
Microsoft is still trying to fix the PrintNightmare bugs. And after the
latest patch day we see lots of NTLMv2 auths on our printserver. And
_only_ on our printserver and not on any other member servers.
It is not that Kerberos does not work. I can ssh into that machine using
Kerberos, and I can connect with smbclient with Kerberos. Also the logs are
really spammed with those messages. And it all started after we released
the last patchday updates from MS.
This is on RockyLinux with Samba version 4.14.8 from Sernet. I also had
the same problem on 4.14.7. smb.conf is below.
Everything seems to work as expected. It is just the number of NTLMv2
auths that made me look at this more closely.
Anyone seen something similar?
Okt 19 14:22:55 printserver.hq.DOMAIN-biotech.de winbindd[1468]:
[2021/10/19 14:22:55.209081, 3]
../../auth/auth_log.c:653(log_authentication_event_human_readable)
Okt 19 14:22:55 printserver.hq.DOMAIN-biotech.de winbindd[1468]: Auth:
[winbind,NTLM_AUTH, nss_winbind, 1003] user [DOMAIN-02]\[user] at [Tue,
19 Oct 2021 14:22:55.209056 CEST] with [NTLMv2] status [NT_STATUS_OK]
workstation [HOST] remote host [unix:] became [DOMAIN-02]\[user]
[S-1-5-21-XXX-XXX-XXX-xxxx]. local host [unix:]
Okt 19 14:22:55 printserver.hq.DOMAIN-biotech.de smbd[2135]: [2021/10/19
14:22:55.209404, 3]
../../auth/auth_log.c:653(log_authentication_event_human_readable)
Okt 19 14:22:55 printserver.hq.DOMAIN-biotech.de smbd[2135]: Auth:
[DCE/RPC,(null)] user [DOMAIN-02]\[user] at [Tue, 19 Oct 2021
14:22:55.209385 CEST] with [NTLMv2] status [NT_STATUS_OK] workstation
[HOST] remote host [ipv4:yyy.yyy.yyy.yyy:49949] became
[DOMAIN-02]\[user] [S-1-5-21-XXX-XXX-XXX-xxxx]. local host
[ipv4:yyy.yyy.yyy.xxxx:445]
Okt 19 14:22:55 printserver.hq.DOMAIN-biotech.de smbd[2135]: [2021/10/19
14:22:55.213366, 4]
../../auth/auth_log.c:753(log_successful_authz_event_human_readable)
Okt 19 14:22:55 printserver.hq.DOMAIN-biotech.de smbd[2135]:
Successful AuthZ: [DCE/RPC,NTLMSSP] user [DOMAIN-02]\[user]
[S-1-5-21-XXX-XXX-XXX-xxxx] at [Tue, 19 Oct 2021 14:22:55.213356 CEST]
Remote host [ipv4:yyy.yyy.yyy.yyy:49949] local host
[ipv4:yyy.yyy.yyy.xxxx:445]
Okt 19 14:22:55 printserver.hq.DOMAIN-biotech.de winbindd[1468]:
[2021/10/19 14:22:55.272006, 3]
../../auth/auth_log.c:653(log_authentication_event_human_readable)
Okt 19 14:22:55 printserver.hq.DOMAIN-biotech.de winbindd[1468]: Auth:
[winbind,NTLM_AUTH, nss_winbind, 1003] user [DOMAIN-02]\[user] at [Tue,
19 Oct 2021 14:22:55.271994 CEST] with [NTLMv2] status [NT_STATUS_OK]
workstation [HOST] remote host [unix:] became [DOMAIN-02]\[user]
[S-1-5-21-XXX-XXX-XXX-xxxx]. local host [unix:]
Okt 19 14:22:55 printserver.hq.DOMAIN-biotech.de smbd[2135]: [2021/10/19
14:22:55.272247, 3]
../../auth/auth_log.c:653(log_authentication_event_human_readable)
Okt 19 14:22:55 printserver.hq.DOMAIN-biotech.de smbd[2135]: Auth:
[DCE/RPC,(null)] user [DOMAIN-02]\[user] at [Tue, 19 Oct 2021
14:22:55.272236 CEST] with [NTLMv2] status [NT_STATUS_OK] workstation
[HOST] remote host [ipv4:yyy.yyy.yyy.yyy:49949] became
[DOMAIN-02]\[user] [S-1-5-21-XXX-XXX-XXX-xxxx]. local host
[ipv4:yyy.yyy.yyy.xxxx:445]
Okt 19 14:22:55 printserver.hq.DOMAIN-biotech.de smbd[2135]: [2021/10/19
14:22:55.275198, 4]
../../auth/auth_log.c:753(log_successful_authz_event_human_readable)
Okt 19 14:22:55 printserver.hq.DOMAIN-biotech.de smbd[2135]:
Successful AuthZ: [DCE/RPC,NTLMSSP] user [DOMAIN-02]\[user]
[S-1-5-21-XXX-XXX-XXX-xxxx] at [Tue, 19 Oct 2021 14:22:55.275188 CEST]
Remote host [ipv4:yyy.yyy.yyy.yyy:49949] local host
[ipv4:yyy.yyy.yyy.xxxx:445]
smb.conf
[global]
netbios name = Printserver
server string = Printserver
security = ADS
realm = HQ.DOMAIN.DE
workgroup = DOMAIN-02
max log size = 50000
disable netbios = yes
smb ports = 445
server min protocol = SMB2
client min protocol = SMB2
#log level = 4
log level = 1 auth_audit:5
logging = syslog only
kerberos method = secrets and keytab
dedicated keytab file = /etc/krb5.keytab
writeable = YES
map acl inherit = yes
store dos attributes = yes
inherit acls = Yes
username map = /etc/samba/smbusers
interfaces = lo eth0
bind interfaces only = Yes
##idmap##
# Default idmap config used for BUILTIN and local windows
accounts/groups
idmap config *:backend = tdb
idmap config *:range = 1000000-2000000
# idmap config for domain DOMAIN-02
idmap config DOMAIN-02:backend = ad
idmap config DOMAIN-02:range = 500-65555
idmap config DOMAIN-02:schema_mode = rfc2307
idmap config DOMAIN-02:unix_nss_info = yes
winbind use default domain = Yes
winbind offline logon = yes
winbind refresh tickets = yes
#Printing
rpc_server:spoolss = external
rpc_daemon:spoolssd = fork
spoolss: architecture = Windows x64
[printers]
path = /var/spool/samba/
printable = yes
printing = cups
[print$]
path = /srv/samba_printer_drivers/
read only = no
--
Dr. Christian Naumer
Vice President
Unit Head Bioprocess Development
BRAIN Biotech AG
Darmstaedter Str. 34-36, D-64673 Zwingenberg
e-mail cn at brain-biotech.com, homepage www.brain-biotech.com
phone +49-6251-9331-30 / fax +49-6251-9331-11
Sitz der Gesellschaft: Zwingenberg/Bergstrasse
Registergericht AG Darmstadt, HRB 24758
Vorstand: Adriaan Moelker (Vorstandsvorsitzender),
Lukas Linnig
Aufsichtsratsvorsitzender: Dr. Georg Kellinghusen
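The auth_audit lines above carry everything needed to quantify the problem rather than eyeball it: the mechanism (`with [NTLMv2]` vs a Kerberos mechanism), the transport (`DCE/RPC` vs `SMB2`), the peer address, and whether the entry came from smbd or from winbindd. The following parser is an added example, not code from the original post or from the Samba project. It assumes the one-line journal format of the quoted lines (the mail client wrapped them), counts each client logon once by taking only the smbd-side `Auth:` entries (the winbindd `NTLM_AUTH` entry a fraction of a millisecond earlier is the same logon being passed through to the DC for validation), and lists which peers used NTLM on which RPC/SMB service. The sample log is constructed: the first three lines mirror the post's NTLMv2 logon with RFC 5737 addresses substituted, and the two Kerberos SMB2 lines are modelled on them for contrast, not copied from a real log.

```python
import re
from collections import Counter

# Constructed sample in the format of the journal lines in the post. Lines 1-3
# mirror the post's NTLMv2 print-client logon (addresses replaced with RFC 5737
# documentation ranges); lines 4-5 are modelled on them to show a Kerberos SMB2
# logon for contrast and are not copied from a real log.
SAMPLE_LOG = r"""
Okt 19 14:22:55 printserver winbindd[1468]:   Auth: [winbind,NTLM_AUTH, nss_winbind, 1003] user [DOMAIN-02]\[user] at [Tue, 19 Oct 2021 14:22:55.209056 CEST] with [NTLMv2] status [NT_STATUS_OK] workstation [HOST] remote host [unix:] became [DOMAIN-02]\[user] [S-1-5-21-1-2-3-1104]. local host [unix:]
Okt 19 14:22:55 printserver smbd[2135]:   Auth: [DCE/RPC,(null)] user [DOMAIN-02]\[user] at [Tue, 19 Oct 2021 14:22:55.209385 CEST] with [NTLMv2] status [NT_STATUS_OK] workstation [HOST] remote host [ipv4:192.0.2.10:49949] became [DOMAIN-02]\[user] [S-1-5-21-1-2-3-1104]. local host [ipv4:192.0.2.5:445]
Okt 19 14:22:55 printserver smbd[2135]:   Successful AuthZ: [DCE/RPC,NTLMSSP] user [DOMAIN-02]\[user] [S-1-5-21-1-2-3-1104] at [Tue, 19 Oct 2021 14:22:55.213356 CEST] Remote host [ipv4:192.0.2.10:49949] local host [ipv4:192.0.2.5:445]
Okt 19 14:23:01 printserver smbd[2140]:   Auth: [SMB2,(null)] user [DOMAIN-02]\[alice] at [Tue, 19 Oct 2021 14:23:01.000100 CEST] with [krb5] status [NT_STATUS_OK] workstation [] remote host [ipv4:192.0.2.11:50123] became [DOMAIN-02]\[alice] [S-1-5-21-1-2-3-1105]. local host [ipv4:192.0.2.5:445]
Okt 19 14:23:01 printserver smbd[2140]:   Successful AuthZ: [SMB2,krb5] user [DOMAIN-02]\[alice] [S-1-5-21-1-2-3-1105] at [Tue, 19 Oct 2021 14:23:01.000500 CEST] Remote host [ipv4:192.0.2.11:50123] local host [ipv4:192.0.2.5:445]
"""

# "Auth:" entries (authentication): service/transport, mechanism, status, peer.
AUTH_RE = re.compile(
    r'(?P<proc>winbindd|smbd)\[\d+\]:\s+Auth: \[(?P<service>[^,\]]+),(?P<authmethod>[^\]]*)\] '
    r'user \[(?P<domain>[^\]]*)\]\\\[(?P<user>[^\]]*)\] at \[(?P<when>[^\]]+)\] '
    r'with \[(?P<mech>[^\]]+)\] status \[(?P<status>[^\]]+)\] '
    r'workstation \[(?P<ws>[^\]]*)\] remote host \[(?P<remote>[^\]]*)\]'
)

# "Successful AuthZ:" entries (authorization after a successful authentication).
AUTHZ_RE = re.compile(
    r'(?P<proc>winbindd|smbd)\[\d+\]:\s+Successful AuthZ: \[(?P<service>[^,\]]+),(?P<authmethod>[^\]]*)\] '
    r'user \[(?P<domain>[^\]]*)\]\\\[(?P<user>[^\]]*)\] \[(?P<sid>S-[\d-]+)\] at \[(?P<when>[^\]]+)\] '
    r'Remote host \[(?P<remote>[^\]]*)\]'
)


def parse_auth_log(text):
    """Turn journal lines into event dicts; lines that are not audit records are skipped."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            events.append({"kind": "auth", **m.groupdict()})
            continue
        m = AUTHZ_RE.search(line)
        if m:
            events.append({"kind": "authz", **m.groupdict()})
    return events


def remote_ip(remote):
    """Strip the 'ipv4:'/'ipv6:' prefix and the trailing port; unix: sockets have no peer."""
    for prefix in ("ipv4:", "ipv6:"):
        if remote.startswith(prefix):
            return remote[len(prefix):].rsplit(":", 1)[0]
    return None


def mechanism_summary(events):
    """Count successful client logons per mechanism, as seen by smbd.

    The winbindd 'NTLM_AUTH' record logged just before each smbd NTLMv2 record is
    the same logon being forwarded to the DC for validation, so it is not counted
    a second time here.
    """
    counts = Counter()
    for e in events:
        if e["kind"] == "auth" and e["proc"] == "smbd" and e["status"] == "NT_STATUS_OK":
            counts[e["mech"]] += 1
    return dict(counts)


def ntlm_clients(events):
    """Map each peer that authenticated with NTLM over the network to the services it used."""
    by_ip = {}
    for e in events:
        if e["kind"] != "auth" or e["proc"] != "smbd" or e["status"] != "NT_STATUS_OK":
            continue
        if not e["mech"].startswith("NTLM"):
            continue
        ip = remote_ip(e["remote"])
        if ip is not None:
            by_ip.setdefault(ip, set()).add(e["service"])
    return {ip: sorted(services) for ip, services in by_ip.items()}


if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_LOG)
    print("logons by mechanism:", mechanism_summary(evs))
    print("NTLM peers by service:", ntlm_clients(evs))
```

On the sample this reports one NTLMv2 logon on DCE/RPC from 192.0.2.10 and one Kerberos logon on SMB2; run over a real `journalctl -u smb -u winbind` export from the print server, the per-service breakdown shows whether the NTLM traffic is confined to the spooler RPC path or spills over into SMB sessions, and the peer list gives the workstations to look at first.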
Same here... I have set up one of my DCs anew with the packages from Louis. This DC is also my print server. At first I thought I had made an error, but yesterday I found this: https://www.bleepingcomputer.com/news/microsoft/new-windows-10-kb5006670-update-breaks-network-printing/ That's exactly the error I'm getting. But I couldn't check this by uninstalling the last Windows patch until now.
Regards
Ingo

cn--- via samba wrote on 19.10.2021 at 14:37:
> Hello you all,
> [...]
On Tue, Oct 19, 2021 at 02:37:55PM +0200, cn--- via samba wrote:
> Hello you all,
> [...]
> Everything seems to work as expected. It just is the number of NTLMv2
> auths that made me look at this more closely.

NTLM auths can happen when a machine isn't using name-based lookups (i.e. not using DNS names). Kerberos requires name-based lookups in order to get tickets. That's usually the cause of NTLM.
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Jeremy Allison via samba
> Sent: Tuesday, 19 October 2021 19:11
> To: cn at brain-biotech.de
> CC: samba at lists.samba.org
> Subject: Re: [Samba] Printserver after latest MS updates
>
> On Tue, Oct 19, 2021 at 02:37:55PM +0200, cn--- via samba wrote:
> >Hello you all,
> ....
>
> NTLM auths can happen when a machine isn't using name-based
> lookups (i.e. not using DNS names). Kerberos requires name-based
> lookups in order to get tickets. That's usually the cause of
> NTLM.

Well, that explains it all. My DNS setup is perfect here, and that is most probably why I hardly see problems here. All my servers have A and PTR records set and everything uses FQDNs. Nothing uses, for example, \\servername\sharename.
Thanks for this update Jeremy, most welcome.
Greetz,
Louis
On 19.10.2021 at 14:37, cn--- via samba wrote:
> Hello you all,
> [...]

Hello Samba-Group,
I also ran into PrintNightmare issues today after applying the update 2021-10. My client PC is running W10 LTSC 2019. My Samba fileserver is running on Debian buster using Samba 4.9.5 as an Active Directory member.
If I log in with an AD account on the client, I can connect printers and manage them as usual with print management connecting to the server. But if I log in with a local client account and connect to the server by entering user/password, shares are working but printers cannot be connected and print management does not list printers or drivers.
I found the following interesting post
https://www.bleepingcomputer.com/forums/t/759880/kb5006670-network-printer-problems-again-this-month/page-8#entry5263758
-------------------------------------------------------------------------------------------
After sniffing around in Wireshark it seems this newer spooler is doing two things differently:
1) On the DCERPC call it has added NTLMSSP_NEGOTIATE and attempts to authenticate NTLMSSP_CHALLENGE
2) On the SPOOLSS call the name of the printer is now encrypted
Failing (Oct DLLs) 0x000006e4 RPC_S_CANNOT_SUPPORT
Working (Sept DLLs)
Above are to a 2003 server from Win10
I think this is a problem with older servers not knowing how to handle encryption and the spooler not falling back to unencrypted communications
https://docs.microsoft.com/en-us/windows/win32/api/rpcasync/nf-rpcasync-rpcbindingbind
HTH,
Mike Pisano
-------------------------------------------------------------------------------------------
On bleepingcomputer they replace the files localspl.dll, win32spl.dll and spoolsv.exe in c:\windows\system32 with the versions from update 2021-09. This temporary workaround works for me. I have not yet figured out another way to get printing working with local accounts against the Samba server.
Good night,
Achim Gottinger